Enhancement: Exclude Inactive Identities from Attribute Sync!

Description

SailPoint is excited to announce that Inactive (long-term) identities will be excluded from the attribute sync process! This enhancement is available in all sandbox tenants. It will begin rolling out to production tenants on October 7, 2024.

This enhancement was a top request following the initial release of New Capability: Management of Inactive Identities. Administrators will have more control over the last update to leavers’ accounts, and will see a reduction in unneeded provisioning load.

Problem

Attribute syncs to inactive identities’ accounts are unneeded in most cases. The extra traffic can cause infrastructure problems and interfere with leaver processes. 51 voters have asked us to solve this problem in this idea.

Solution

Inactive (long-term) identities will be excluded from the attribute sync process except when:

What’s the updated view of how the three identity states are used?

Active identities will be included in all services. Inactive (short-term) will be excluded from some services. Inactive (long-term) will be excluded from most services.

| Area | Active | Inactive (short-term) | Inactive (long-term) |
|---|---|---|---|
| Identity Picklists in Request Center | Included | Excluded | Excluded |
| My Team UI for Managers | Included | Excluded | Excluded |
| Scheduled Processing | Included | Included | Excluded |
| Apply Changes on Roles, Access Profiles, and Apps UIs | Included | Included | Excluded |
| Attribute Sync | Included | Included | Excluded |
| Apply Changes on Identity Profiles UI | Included | Included | Included |
| Processing for Select Identities | Included | Included | Included |
| Identity Attribute Promotion after Accounts Updated in Aggregations | Included | Included | Included |

What if I need to sync attributes for recent leavers?

If you need to sync attributes for recent leavers, you might require a recent-leaver lifecycle state in addition to a long-term-leaver lifecycle state. For example, it’s common to see a two-stage termination with lifecycle states named Terminated < 90 days and Terminated > 90 days. Identities in Terminated < 90 days would receive syncs because their lifecycle state is marked Inactive (short-term). Identities in Terminated > 90 days would not receive syncs because their lifecycle state is marked Inactive (long-term). Hold identities in the first-stage lifecycle state for as long as you’re required to sync their attributes.

| Lifecycle state | Identity state |
|---|---|
| Pre-Hire | Active |
| Active | Active |
| Leave of Absence | Active |
| Terminated < 90 days | Inactive (short-term) |
| Terminated > 90 days | Inactive (long-term) |

What if I need to sync attributes for long-term leavers?

To continue the previous example, you might need to sync attributes for identities in the second-stage lifecycle state (Terminated > 90 days). In this scenario, the administrator can use the Synchronize Attributes action. Synchronize Attributes can also be called via /beta/identities/:identityId/synchronize-attributes.
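As an added example (not part of SailPoint’s announcement or product code), the two-stage model above in Python: derive the lifecycle and identity state from a termination date, decide whether the scheduled attribute sync still applies after this change, and build the Synchronize Attributes request for long-term leavers that still need one. The state names other than inactive_long_term, the POST method, treating day 90 itself as long-term, and the TENANT base URL are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Identity states: "inactive_long_term" is the value named in the thread; the other
# two names are assumed to follow the same pattern.
ACTIVE, INACTIVE_SHORT_TERM, INACTIVE_LONG_TERM = "active", "inactive_short_term", "inactive_long_term"

# Two-stage termination mapping from the announcement's lifecycle-state table.
LIFECYCLE_TO_IDENTITY_STATE = {
    "Pre-Hire": ACTIVE, "Active": ACTIVE, "Leave of Absence": ACTIVE,
    "Terminated < 90 days": INACTIVE_SHORT_TERM,
    "Terminated > 90 days": INACTIVE_LONG_TERM,
}

@dataclass
class Identity:
    identity_id: str
    termination_date: Optional[date]  # None while the person is still employed

def lifecycle_state(identity: Identity, today: date, threshold_days: int = 90) -> str:
    # Day 90 itself is treated as long-term; the page's state names leave that boundary open.
    if identity.termination_date is None:
        return "Active"
    days_gone = (today - identity.termination_date).days
    return "Terminated < 90 days" if days_gone < threshold_days else "Terminated > 90 days"

def identity_state(identity: Identity, today: date) -> str:
    return LIFECYCLE_TO_IDENTITY_STATE[lifecycle_state(identity, today)]

def scheduled_sync_applies(state: str) -> bool:
    # After the change, scheduled attribute sync skips only inactive (long-term) identities.
    return state != INACTIVE_LONG_TERM

def manual_sync_request(identity_id: str, base_url: str) -> tuple:
    # Endpoint from the announcement; the HTTP method (POST) is assumed, and nothing is sent here.
    return ("POST", f"{base_url}/beta/identities/{identity_id}/synchronize-attributes")

def plan_syncs(identities, today: date, base_url: str) -> dict:
    """Map each identity to "scheduled" or to the manual request an admin must issue."""
    plan = {}
    for ident in identities:
        state = identity_state(ident, today)
        plan[ident.identity_id] = ("scheduled" if scheduled_sync_applies(state)
                                   else manual_sync_request(ident.identity_id, base_url))
    return plan

# Constructed sample data: one active worker, one recent leaver, one long-term leaver.
SAMPLE = [Identity("id-active", None), Identity("id-recent", date(2024, 8, 1)),
          Identity("id-longterm", date(2024, 6, 1))]
```

Running plan_syncs over SAMPLE for 2024-10-07 marks the first two as "scheduled" and returns the manual request for id-longterm, which is the list an administrator would work after the cutover.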

Will attributes sync when an identity just became a long-term leaver?

The system will complete one last attribute sync when an identity enters a lifecycle state that is configured as Inactive (long-term). This covers most use cases concerning OU moves, deletions, etc. specified in a Before Provisioning rule.

Who is affected?

All customers who have implemented both identity states and attribute sync.

Action Required

Review and implement the Identity States feature if you haven’t yet. The Identity States feature enables you to mark identities as inactive to exclude them from access requests, manager views, and more. This enhancement adds one more reason to enable the Identity State feature. A guide to enable the feature is available here: New Capability: Management of Inactive Identities.

Important Dates

  • Sandbox: Monday, September 30th
  • Production: The week of Monday, October 7th

Additional Resources

New Capability: Management of Inactive Identities


Will there be the ability to turn it on for all statuses for a specific source? We have scenarios where some security attributes have to be changed after a termination to an account that can’t be deleted and is only disabled. I’m curious if we are going to have to start working a daily report to catch ones that didn’t get updated during the “one last chance” run.

Wait? Really? This is a thing? Please do not do this in the way you have it documented. This should be configurable. We literally just went live with AD provisioning and attribute sync and the timing of this is not good. Also, why not allow the customer to choose rather than make this decision based on 51 customers?
DOWN VOTE!!!

Also, if this went live in Sandbox Sept 30, why am I just getting the notice in the UI yesterday? C’mon SailPoint! Do better!

Hi Jill,

I added a bit more context to the announcement explaining the configuration options that are available here. There are a couple ways to ensure those “last syncs” happen as desired.

We agree. The posts are supposed to be timed with when the item goes to sandbox. We had some trouble with the automation on this. The in-app notice did go out on time. Sorry about that.

Hi Kirk,

We’ll get a meeting scheduled with you early next week. Joel will be in touch with details.

Agree that this should be configurable, stop forcing us into changes that could easily fit everyone’s needs if we just had options rather than “that’s just how it is now”. The idea is great and I very much see why the change was made, but please never get rid of our options in the process.

Hi Benjamin,

Thanks for this. We did have to strike a balance here, and we did consult a good number of customers in the process of designing this. I added a bit more context to the announcement explaining the configuration options that are available here.


I am not seeing a “last” attribute sync when the lifecycle changes to terminated, and I am also not seeing the API attribute sync working either in our sandbox.

Hi Austin,

We did fix a bug where syncs were being blocked for inactive_long_term identities when using either Synchronize Attributes button or this endpoint. The fix was deployed yesterday. Could you try that again, please?

Could you give me a quick bulleted list of how your “last” attribute sync use case is working?

It is not working. I’ve tried via API and changing lifecycle states.

The change shouldn’t affect how the lifecycle state calculation works for inactive identities should it?

Hi @ryanyamayama ,

No, it would not. Identity State and Lifecycle State are two separate attributes. The Identity State is of course determined by the Lifecycle State.